A new patch fixes vulnerabilities in the MozillaFirefox, MozillaThunderbird, mozilla-nss, seamonkey and xulrunner packages. The vulnerabilities allow malicious users to execute arbitrary code, carry out a DoS attack, bypass imposed restrictions, and more.
Package: | Firefox 11.x, mozilla-nss 3.x, SeaMonkey 2.x, thunderbird 11.x, Xulrunner 10.x |
Operating systems: | openSUSE 11.4, openSUSE 12.1 |
Severity: | 8.7 |
Problem: | integer overflow, memory corruption, error in a program function, buffer overflow |
Exploitation: | remote |
Impact: | privilege escalation, arbitrary code execution, denial of service (DoS), bypass of imposed restrictions |
Solution: | vendor patch |
CVE: | CVE-2011-3101, CVE-2012-0441, CVE-2012-1937, CVE-2012-1938, CVE-2012-1940, CVE-2012-1941, CVE-2012-1944, CVE-2012-1945, CVE-2012-1946, CVE-2012-1947 |
Original advisory ID: | openSUSE-SU-2012:0760-1 |
Source: | SUSE |
Problem: | |
The new patch fixes multiple vulnerabilities caused by flaws in the handling of memory, files and shortcuts, by buffer overflows, etc. |
|
Impact: | |
Remote malicious users can execute arbitrary code, carry out a DoS attack, bypass imposed restrictions, and the like. |
|
Solution: | |
Users are advised to review the original advisory for more information and to install the update in which the security vulnerabilities are fixed. |
Original advisory text
openSUSE Security Update: MozillaFirefox, MozillaThunderbird, mozilla-nss,
seamonkey, xulrunner: June
______________________________________________________________________________
Announcement ID: openSUSE-SU-2012:0760-1
Rating: important
References: #765204
Cross-References: CVE-2011-3101 CVE-2012-0441 CVE-2012-1937
CVE-2012-1938 CVE-2012-1940 CVE-2012-1941
CVE-2012-1944 CVE-2012-1945 CVE-2012-1946
CVE-2012-1947
Affected Products:
openSUSE 12.1
openSUSE 11.4
______________________________________________________________________________
An update that fixes 10 vulnerabilities is now available.
Description:
Changes in MozillaFirefox:
- update to Firefox 13.0 (bnc#765204)
* MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
Miscellaneous memory safety hazards
* MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content
Security Policy inline-script bypass
* MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information
disclosure through Windows file shares and shortcut files
* MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free
while replacing/inserting a node in a document
* MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
Buffer overflow and use-after-free issues found using
Address Sanitizer
- require NSS 3.13.4
* MFSA 2012-39/CVE-2012-0441 (bmo#715073)
- fix sound notifications when filename/path contains a
whitespace (bmo#749739)
- fix build on arm
- reenabled crashreporter for Factory/12.2 (fix in
mozilla-gcc47.patch)
Changes in MozillaThunderbird:
- update to Thunderbird 13.0 (bnc#765204)
* MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
Miscellaneous memory safety hazards
* MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content
Security Policy inline-script bypass
* MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information
disclosure through Windows file shares and shortcut files
* MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free
while replacing/inserting a node in a document
* MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
Buffer overflow and use-after-free issues found using
Address Sanitizer
- require NSS 3.13.4
* MFSA 2012-39/CVE-2012-0441 (bmo#715073)
- fix build with system NSPR (mozilla-system-nspr.patch)
- add dependentlibs.list for improved XRE startup
- update enigmail to 1.4.2
- reenabled crashreporter for Factory/12.2 (fix in
mozilla-gcc47.patch)
- update to Thunderbird 12.0.1
* fix regressions
- POP3 filters (bmo#748090)
- Message Body not loaded when using "Fetch Headers
Only" (bmo#748865)
- Received messages contain parts of other messages
with movemail account (bmo#748726)
- New mail notification issue (bmo#748997)
- crash in nsMsgDatabase::MatchDbName (bmo#748432)
- fixed build with gcc 4.7
Changes in seamonkey:
- update to Seamonkey 2.10 (bnc#765204)
* MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
Miscellaneous memory safety hazards
* MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content
Security Policy inline-script bypass
* MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information
disclosure through Windows file shares and shortcut files
* MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free
while replacing/inserting a node in a document
* MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
Buffer overflow and use-after-free issues found using
Address Sanitizer
- requires NSS 3.13.4
* MFSA 2012-39/CVE-2012-0441 (bmo#715073)
- update to Seamonkey 2.9.1
* fix regressions
- POP3 filters (bmo#748090)
- Message Body not loaded when using "Fetch Headers
Only" (bmo#748865)
- Received messages contain parts of other messages
with movemail account (bmo#748726)
- New mail notification issue (bmo#748997)
- crash in nsMsgDatabase::MatchDbName (bmo#748432)
- fixed build with gcc 4.7
Changes in mozilla-nss:
- update to 3.13.5 RTM
- update to 3.13.4 RTM
* fixed some bugs
* fixed cert verification regression in PKIX mode
(bmo#737802) introduced in 3.13.2
Changes in xulrunner:
- update to 13.0 (bnc#765204)
* MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
Miscellaneous memory safety hazards
* MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content
Security Policy inline-script bypass
* MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information
disclosure through Windows file shares and shortcut files
* MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free
while replacing/inserting a node in a document
* MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
Buffer overflow and use-after-free issues found using
Address Sanitizer
- require NSS 3.13.4
* MFSA 2012-39/CVE-2012-0441 (bmo#715073)
- reenabled crashreporter for Factory/12.2 (fixed in
mozilla-gcc47.patch)
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 12.1:
zypper in -t patch openSUSE-2012-333
- openSUSE 11.4:
zypper in -t patch openSUSE-2012-333
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 12.1 (i586 ia64 x86_64):
mozilla-nss-debugsource-3.13.5-9.16.1
xulrunner-debugsource-13.0-2.29.2
- openSUSE 12.1 (i586 x86_64):
MozillaFirefox-13.0-2.30.1
MozillaFirefox-branding-upstream-13.0-2.30.1
MozillaFirefox-buildsymbols-13.0-2.30.1
MozillaFirefox-debuginfo-13.0-2.30.1
MozillaFirefox-debugsource-13.0-2.30.1
MozillaFirefox-devel-13.0-2.30.1
MozillaFirefox-translations-common-13.0-2.30.1
MozillaFirefox-translations-other-13.0-2.30.1
MozillaThunderbird-13.0-33.23.2
MozillaThunderbird-buildsymbols-13.0-33.23.2
MozillaThunderbird-debuginfo-13.0-33.23.2
MozillaThunderbird-debugsource-13.0-33.23.2
MozillaThunderbird-devel-13.0-33.23.2
MozillaThunderbird-translations-common-13.0-33.23.2
MozillaThunderbird-translations-other-13.0-33.23.2
chmsee-1.99.08-2.18.3
chmsee-debuginfo-1.99.08-2.18.3
chmsee-debugsource-1.99.08-2.18.3
enigmail-1.4.2+13.0-33.23.2
enigmail-debuginfo-1.4.2+13.0-33.23.2
libfreebl3-3.13.5-9.16.1
libfreebl3-debuginfo-3.13.5-9.16.1
libsoftokn3-3.13.5-9.16.1
libsoftokn3-debuginfo-3.13.5-9.16.1
mozilla-js-13.0-2.29.2
mozilla-js-debuginfo-13.0-2.29.2
mozilla-nss-3.13.5-9.16.1
mozilla-nss-certs-3.13.5-9.16.1
mozilla-nss-certs-debuginfo-3.13.5-9.16.1
mozilla-nss-debuginfo-3.13.5-9.16.1
mozilla-nss-devel-3.13.5-9.16.1
mozilla-nss-sysinit-3.13.5-9.16.1
mozilla-nss-sysinit-debuginfo-3.13.5-9.16.1
mozilla-nss-tools-3.13.5-9.16.1
mozilla-nss-tools-debuginfo-3.13.5-9.16.1
seamonkey-2.10-2.21.2
seamonkey-debuginfo-2.10-2.21.2
seamonkey-debugsource-2.10-2.21.2
seamonkey-dom-inspector-2.10-2.21.2
seamonkey-irc-2.10-2.21.2
seamonkey-translations-common-2.10-2.21.2
seamonkey-translations-other-2.10-2.21.2
seamonkey-venkman-2.10-2.21.2
xulrunner-13.0-2.29.2
xulrunner-buildsymbols-13.0-2.29.2
xulrunner-debuginfo-13.0-2.29.2
xulrunner-devel-13.0-2.29.2
xulrunner-devel-debuginfo-13.0-2.29.2
- openSUSE 12.1 (x86_64):
libfreebl3-32bit-3.13.5-9.16.1
libfreebl3-debuginfo-32bit-3.13.5-9.16.1
libsoftokn3-32bit-3.13.5-9.16.1
libsoftokn3-debuginfo-32bit-3.13.5-9.16.1
mozilla-js-32bit-13.0-2.29.2
mozilla-js-debuginfo-32bit-13.0-2.29.2
mozilla-nss-32bit-3.13.5-9.16.1
mozilla-nss-certs-32bit-3.13.5-9.16.1
mozilla-nss-certs-debuginfo-32bit-3.13.5-9.16.1
mozilla-nss-debuginfo-32bit-3.13.5-9.16.1
mozilla-nss-sysinit-32bit-3.13.5-9.16.1
mozilla-nss-sysinit-debuginfo-32bit-3.13.5-9.16.1
xulrunner-32bit-13.0-2.29.2
xulrunner-debuginfo-32bit-13.0-2.29.2
- openSUSE 12.1 (ia64):
libfreebl3-debuginfo-x86-3.13.5-9.16.1
libfreebl3-debuginfo-x86-debuginfo-3.13.5-9.16.1
libfreebl3-x86-3.13.5-9.16.1
libsoftokn3-debuginfo-x86-3.13.5-9.16.1
libsoftokn3-debuginfo-x86-debuginfo-3.13.5-9.16.1
libsoftokn3-x86-3.13.5-9.16.1
mozilla-js-debuginfo-x86-13.0-2.29.2
mozilla-js-debuginfo-x86-debuginfo-13.0-2.29.2
mozilla-js-x86-13.0-2.29.2
mozilla-nss-certs-debuginfo-x86-3.13.5-9.16.1
mozilla-nss-certs-debuginfo-x86-debuginfo-3.13.5-9.16.1
mozilla-nss-certs-x86-3.13.5-9.16.1
mozilla-nss-debuginfo-x86-3.13.5-9.16.1
mozilla-nss-debuginfo-x86-debuginfo-3.13.5-9.16.1
mozilla-nss-sysinit-debuginfo-x86-3.13.5-9.16.1
mozilla-nss-sysinit-debuginfo-x86-debuginfo-3.13.5-9.16.1
mozilla-nss-sysinit-x86-3.13.5-9.16.1
mozilla-nss-x86-3.13.5-9.16.1
xulrunner-debuginfo-x86-13.0-2.29.2
xulrunner-debuginfo-x86-debuginfo-13.0-2.29.2
xulrunner-x86-13.0-2.29.2
- openSUSE 11.4 (i586 ia64 x86_64):
mozilla-nss-debugsource-3.13.5-44.1
- openSUSE 11.4 (i586 x86_64):
MozillaFirefox-13.0-25.2
MozillaFirefox-branding-upstream-13.0-25.2
MozillaFirefox-buildsymbols-13.0-25.2
MozillaFirefox-debuginfo-13.0-25.2
MozillaFirefox-debugsource-13.0-25.2
MozillaFirefox-devel-13.0-25.2
MozillaFirefox-translations-common-13.0-25.2
MozillaFirefox-translations-other-13.0-25.2
MozillaThunderbird-13.0-21.2
MozillaThunderbird-buildsymbols-13.0-21.2
MozillaThunderbird-debuginfo-13.0-21.2
MozillaThunderbird-debugsource-13.0-21.2
MozillaThunderbird-devel-13.0-21.2
MozillaThunderbird-translations-common-13.0-21.2
MozillaThunderbird-translations-other-13.0-21.2
enigmail-1.4.2+13.0-21.2
enigmail-debuginfo-1.4.2+13.0-21.2
libfreebl3-3.13.5-44.1
libfreebl3-debuginfo-3.13.5-44.1
libsoftokn3-3.13.5-44.1
libsoftokn3-debuginfo-3.13.5-44.1
mozilla-nss-3.13.5-44.1
mozilla-nss-certs-3.13.5-44.1
mozilla-nss-certs-debuginfo-3.13.5-44.1
mozilla-nss-debuginfo-3.13.5-44.1
mozilla-nss-devel-3.13.5-44.1
mozilla-nss-sysinit-3.13.5-44.1
mozilla-nss-sysinit-debuginfo-3.13.5-44.1
mozilla-nss-tools-3.13.5-44.1
mozilla-nss-tools-debuginfo-3.13.5-44.1
seamonkey-2.10-21.2
seamonkey-debuginfo-2.10-21.2
seamonkey-debugsource-2.10-21.2
seamonkey-dom-inspector-2.10-21.2
seamonkey-irc-2.10-21.2
seamonkey-translations-common-2.10-21.2
seamonkey-translations-other-2.10-21.2
seamonkey-venkman-2.10-21.2
- openSUSE 11.4 (x86_64):
libfreebl3-32bit-3.13.5-44.1
libfreebl3-debuginfo-32bit-3.13.5-44.1
libsoftokn3-32bit-3.13.5-44.1
libsoftokn3-debuginfo-32bit-3.13.5-44.1
mozilla-nss-32bit-3.13.5-44.1
mozilla-nss-certs-32bit-3.13.5-44.1
mozilla-nss-certs-debuginfo-32bit-3.13.5-44.1
mozilla-nss-debuginfo-32bit-3.13.5-44.1
mozilla-nss-sysinit-32bit-3.13.5-44.1
mozilla-nss-sysinit-debuginfo-32bit-3.13.5-44.1
- openSUSE 11.4 (ia64):
libfreebl3-debuginfo-x86-3.13.5-44.1
libfreebl3-debuginfo-x86-debuginfo-3.13.5-44.1
libfreebl3-x86-3.13.5-44.1
libsoftokn3-debuginfo-x86-3.13.5-44.1
libsoftokn3-debuginfo-x86-debuginfo-3.13.5-44.1
libsoftokn3-x86-3.13.5-44.1
mozilla-nss-certs-debuginfo-x86-3.13.5-44.1
mozilla-nss-certs-debuginfo-x86-debuginfo-3.13.5-44.1
mozilla-nss-certs-x86-3.13.5-44.1
mozilla-nss-debuginfo-x86-3.13.5-44.1
mozilla-nss-debuginfo-x86-debuginfo-3.13.5-44.1
mozilla-nss-sysinit-debuginfo-x86-3.13.5-44.1
mozilla-nss-sysinit-debuginfo-x86-debuginfo-3.13.5-44.1
mozilla-nss-sysinit-x86-3.13.5-44.1
mozilla-nss-x86-3.13.5-44.1
References:
http://support.novell.com/security/cve/CVE-2011-3101.html
http://support.novell.com/security/cve/CVE-2012-0441.html
http://support.novell.com/security/cve/CVE-2012-1937.html
http://support.novell.com/security/cve/CVE-2012-1938.html
http://support.novell.com/security/cve/CVE-2012-1940.html
http://support.novell.com/security/cve/CVE-2012-1941.html
http://support.novell.com/security/cve/CVE-2012-1944.html
http://support.novell.com/security/cve/CVE-2012-1945.html
http://support.novell.com/security/cve/CVE-2012-1946.html
http://support.novell.com/security/cve/CVE-2012-1947.html
https://bugzilla.novell.com/765204